July 1, 1998

Netscape Communications and O'Reilly & Associates have announced fixes for a bug that made it possible to view the source of server-side scripts on pages served by their respective Web server products.
The bug, discovered last week by The San Diego Source, makes it possible for users to view the source code of a Web page by appending certain characters to the end of a Web page address. In some situations, the bug will reveal the script for codes that are meant to be processed on the Web server and would not otherwise be visible.
On Wednesday, O'Reilly posted WebSite Profession 2.3, a point release that already was scheduled when the bug was discovered. Just before the upgrade's release, O'Reilly modified the code to address the glitch.
"If someone tries to view the source of a page using extra characters, WebSite Pro will generate an error instead of exposing the source for the page," said Martin Ogawa, O'Reilly's lead developer of its WebSite Professional.
According to Jim Obsitnik, product manager for Netscape's Enterprise Web server, Netscape will issue a patch Thursday that will fix all existing versions of Netscape Enterprise. That fix also will generate an error in the event that invalid characters are appended to the URL.
According to Russ Ryan, vice president of development for Chili!soft, that company issued a patch of its own Wednesday. One of Chili!soft's products, Chili!ASP, was found to be vulnerable to the bug. Chili!ASP is a program that allows developers to run Active Server Pages under non-Microsoft Web servers, including Netscape Enterprise.
So far, developers from every company affected by the bug have said that it is a problem with how Microsoft Windows handles file names, and not with their own products.
"The bug happens because in Windows there are some cases where the behavior of the OS is to ignore trailing space characters," Ryan said. "When the Web server sees a file extension with spaces at the end, it doesn't recognize it, and the file is treated as text. When the unrecognized file name gets passed to the OS, the extra characters are stripped away."
The Web server software then will open the file as text rather than execute it.
"It's unfortunate that nobody knows about this behavior in the operating system. It can introduce bugs unless developers address these issues on a individual basis," Ryan said.
Sun Microsystems, which has confirmed that its own Web server software, called Java Web Server,also was affected, has said it also will issue a patch.
Users of products that will not be patched, such as Process Software's Purveyor, still may be able to protect their data, says Joseph Schmitt II, a programmer at the San Diego Source who helped identify the bug.
"Even without a patch, an administrator can protect the source of a server side script by using NT's file permissions. An administrator can set the permissions so that files containing server side scripts are executable only," Schmitt said.
"This way, the actual source code of the script would be protected, even if the Web server software was still vulnerable."